This works perfectly except it requires ALL of my users to be in the "Product Users" OU when I would actually like to have all of my users organized into various child OUs under our "Product Users" OU. Is this possible?

(Note that this is a partial repost of this question but the question I'm asking here was never answered there.)

This doesn't answer your question, but have you considered doing this programmatically?
– Daniel Allen Langdon, Jun 8 '10 at 21:28

@Rising Star: You mean creating N different LDAP connection strings and looping through each one of them to validate a user? That sounds/feels like a bad idea. But no, I have not tried this.
– Jaxidian, Jun 9 '10 at 16:08

It means you have fine-grained control of the security of your application logic based on domain user group membership. If a user is in your domain this will authenticate them, but it may not authorise them (that's down to your role provider configuration).

"any user will then be authenticated that is a member of the domain" - this is incorrect. This only authenticates users in the "Domain Users" OU.
– Jaxidian, Sep 23 '11 at 15:58

I think all users are considered, but only groups / OUs that are children of the connection scope can be "checked" / used in rules for assessing membership (I think ... been a while since I did this) ... most people just connect to the root of their LDAP directory to avoid the confusion.
– Wardy, Oct 14 '11 at 12:24

Using the approach I have suggested above will deny access to all users except those in the Domain Admins and Product Users roles; everyone else will be "authenticated" but not "authorised" to use the application.
– Wardy, Oct 14 '11 at 12:27